Demystifying Myth Stealer: A Rust Based InfoStealer

By Niranjan Hegde, Vasantha Lakshmanan Ambasankar and Adarsh S · June 5, 2025

Introduction

During regular proactive threat hunting, the Trellix Advanced Research Center identified a fully undetected infostealer malware sample written in Rust. Upon further investigation, we discovered that it was Myth Stealer which was being marketed on Telegram since late December 2024. Initially, it was offered for free for trial, and later evolved to a subscription-based model.

Our investigation revealed that this infostealer is distributed through various fraudulent gaming websites. Upon execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and executing malicious code in the background. The infostealer targets both Gecko-based and Chromium-based browsers, extracting sensitive data including passwords, cookies, and autofill information. It also contains anti-analysis techniques such as string obfuscation and system checks using filenames and username.

The malware authors regularly update stealer code to evade AV detection and introduce additional functionality such as screen capture capability and clipboard hijacking.

Malware service provider

Figure one below shows one of the promotional posts made in active Telegram groups to garner attention and customers. This post was made in late December 2024.

A Telegram channel was used to share updates about the Myth Stealer malware. An organized team likely developed and maintained it, based on activity in the channel. After Telegram shut down the initial channel, the operators created a new group to continue sharing malware updates. They routinely announce new versions in this group, emphasizing zero detection rates on VirusTotal. Users need to rebuild the malware to integrate the latest updates into their builds.

Currently, the malware is offered on a weekly and monthly subscription basis. It can be purchased using crypto-currency and Razer Gold. Additionally, they maintained a separate channel titled 'Myth Vouches & Marketplace,' where the users of this stealer provide testimonials and advertise the sale of compromised accounts obtained using this stealer. It is currently shut down by Telegram. 

Distribution of malware

The malware is distributed in the wild disguised as game-related software. Figure three shows various fraudulent gaming websites used for spreading the stealer. The files from such websites are served in one of the following forms:

• Password-protected rar file. In most cases, password would be the name of the game suffixed with the string “beta” or “alpha”
• Rar archive containing stealer executable file along with various legitimate game-related files
• Zip archive containing other files such as README.md with instructions on how to run the game
• Standalone exe file

In another instance, we uncovered an actor who had posted a link to a malicious RAR file in an online forum under the guise of a cheat software named “ddtrace krx ultimate Crack”. To establish credibility within the forum community, the actor provided a Virustotal Link which showed zero detection at that time.

Capabilities 

As per our investigation, the malware evolved over a period of time. Initially, when distributed as a free trial version, it only stole data from applications.  When it transitioned to a subscription based model, it was sold with additional functionalities such as displaying a fake window, taking screenshots, clipboard hijacking  etc.

The team behind this malware keeps refactoring and updating the code to ensure that the malware has no detection in VirusTotal. These updates include changing libraries used to display a fake window, updating the communication with the C2 server etc. In the following sections, we’ve detailed various functionalities shown by the malware across its different versions.

Currently, the malware is a 64-bit sample written in Rust containing a loader which decrypts and executes the stealer component. 

Loader with a fake window

Once the malware is successfully downloaded and executed in the victim's machine , the loader displays a fake window to the user. These fake windows are used to fool the victim into thinking that a legitimate application is executed.

Figure five shows a few fake windows used by the loader. It uses the Rust crate: native-windows-gui or egui or native_dailog to create and display the fake window.

While the fake window is shown to the victim, the loader decrypts the stealer component using either XOR or AES encryption, utilizing the Rust crate include-crypt.

In recent versions, the loader uses a custom algorithm to decrypt the stealer component.

The decrypted file is a DLL written in Rust, which is then executed directly in memory using the Rust crate memexec .

Decrypted DLL File (Stealer component)

The stealer component is a 64-bit DLL file. It has 2 exports namely: “DllMain” and “bz_internal_error”.

Anti-analysis techniques

String obfuscation

The stealer uses the Rust crate obfstr for string obfuscation.

In some of the samples, the obfuscation was done in the following way:

• Given a string: “Hello”, its hexadecimal representation is: “48656c6c6f” which is then represented as a result of an xor operation:  6addcf5a78 ^ 22b8a33617
• One string (assume “6addcf5a78” in this case) is stored at a location which is dereferenced in xor operation.
• The reference is later replaced with a call to function obstr::xref::inner which accepts two literal values as parameters.

Each implementation of function obstr::xref::inner performs different mathematical operations which ultimately returns the reference address of the string.

In order to deobfuscate it, we wrote a Java Ghidra Script by referring the following scripts:

• https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Decompiler/ghidra_scripts/ShowCCallsScript.java
• https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Base/ghidra_scripts/EmuX86DeobfuscateExampleScript.java
• https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Base/ghidra_scripts/AssembleScript.java

Once Ghidra has finished analyzing the sample, the script upon execution performs the following steps:

• Find all the locations with the symbol (obfstr::xref::inner) which would be the starting address of those functions
• Using the starting address of those functions, get all the call references along with the address
• Visit each of these addresses, find the corresponding decompiled output. The decompiled output would look like this:

local_018 = obfstr::xref::inner(<literal value a>, <literal value b>)

• From this corresponding decompiled output, extract the values passed to it
• Emulate all the call references to obfstr::xref::inner while passing the extracted values to it
• Once the emulation returns a result, patch the corresponding call references with: MOV EAX, <returned value from emulation>

After patching, the binary was re-analyzed to examine string constants in the decompiled code. Some strings appeared as hexadecimal constants. To expedite analysis, another script was created to convert these hexadecimal constants in the decompiled output into strings and add them as comments.

Sandbox evasion via username and filenames checks

The stealer first determines if it's operating within a sandbox by examining the system for specific usernames and files, detailed in the appendix. If any of these are detected, it will cease its execution.

Process Termination

The malware terminates the following process if they are running:

• chrome.exe
• firefox.exe
• brave.exe
• opera.exe
• kometa.exe
• orbitum.exe
• centbrowser.exe
• 7star.exe
• sputnik.exe
• vivaldi.exe
• epicprivacybrowser.exe
• msedge.exe
• uran.exe
• yandex.exe
• Iridium.exe
• GoogleCrashHandler.exe
• GoogleCrashHandler64.exe

Stealing data from applications

The malware steals the following sensitive user data from applications such as Discord, Chrome etc. 

• Passwords
• Cookies
• Autofills
• Saved Credit Card information

The full list of applications that have been targeted is mentioned in the Appendix section.

Cookies extraction from Chromium-based browsers

Remote Debugging

In the case of Chromium-based browsers, the stealer uses remote debugging in order to extract cookies from it. The remote debugging process utilises the following parameters:

• --remote-debugging-port=9222
• --remote-allow-origins=*
• --user-data-dir=%LocalAppData% + <path to the user data directory>
• --headless

For msedge.exe, an extra parameter: --edge-skip-compat-layer-relaunch is utilized.

Using admin privileges

In the latest version of the stealer, it attempts to gain administrative privileges using the Windows-API “ShellExecuteW” with the parameters: “runas” and full path of the malware sample.

Once the stealer has administrative privileges, it uses the technique similar to the one implemented here to steal the cookies.

Clipboard hijacking

The stealer monitors clipboard to intercept any cryptocurrency transactions by replacing the victim’s intended recipient with the attacker’s wallet address.

The following wallet addresses are found to be in use:

Exfiltrating data from the system

After collecting user data, the infostealer sends it to the command and control (C2) server at 185[.]224[.]3[.]219:8080. In the previous version, it used the domain: “myth[.]cocukporno[.]lol” 

C2 server then relays the data to the attacker's registered webhook. Notably, all requests originating from the malware sample include the header "myth-key". In the latest version, header “key” is used instead.

The stealer collects data such as tokens and cookies and packages it into a zip file. This zip file is then transmitted to either the “/myth” or “/f” endpoint. In some versions, it would encode the zip file using base64 before transmission. In the latest version, the zip file is reversed by bytes and sent to “/api/send” endpoint.

Furthermore, the stealer generates a JSON file that summarizes the user data exfiltrated from the system. This was sent to either the “/myth” or “/e” endpoint. This is notably absent in the latest version.

In one of the samples, the data is directly sent to a discord webhook instead of the C2 server.

Taking screenshots

The stealer first makes a GET request to ipify.org to fetch the ip address of the victim. This is used by the attacker to identify the victim’s system.

Then the stealer captures a screenshot of the compromised system after very few milliseconds and transmits it to 185[.]224[.]3[.]219/screen

Persistence mechanism

The stealer drops a copy of itself named “winlnk.exe” in the  “C:\Users\<redacted>\AppData\Roaming” directory. It also creates a file named “mcr.lnkk” in “C:\Users\<redacted>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”

The files “winlnk.exe” and “mcr.lnkk” are linked by creation of the following registry entries:

• HKCU\Software\Classes\.lnkk\(Default)  =  lnkkfile

• HKCU\Software\Classes\lnkkfile\shell\open\command\(Default)  =  C:\Users\<redacted>\AppData\Roaming\winlnk.exe" "%1

When the system is restarted, ultimately “winlnk.exe” is executed.

Conclusion

The newly emerged Rust-based infostealer, Myth Stealer, continues to evolve across its versions, making it progressively harder for security solutions to detect. Its use of string obfuscation, stealthy C2 communication, and features like a fake  window reflect the threat actors' advanced evasion techniques. The consistent development and enhancement of Myth Stealer underscore the attackers' determination to stay ahead of security defenses, posing a serious and persistent risk to users. To effectively mitigate the risk, security tools alone are not enough. A continuous monitoring and swift response to alerts as well as a proactive threat management is the need of the hour.

Coverage

IOC

Hashes:

URLs/Domains:

Appendix:

The list of username checked by the malware: 

The list of files checked by the malware:

The list of applications targeted

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/